Abstract

A growing number of devices of daily use are equipped with computing capabilities. Today, already more than 98 % of all manufactured microprocessors are employed in embedded applications, leaving less than 2 % to traditional computers. Many of these embedded devices are enabled to communicate amongst each other and form networks. A side effect of the rising interconnectedness is a possible vulnerability of these embedded systems. Attacks that have formerly been restricted to PCs can suddenly be launched against cars, tickets, ID cards or even pacemakers. At the same time the security awareness of users and manufacturers of such systems is much lower than in classical PC environments. This renders security one key aspect of embedded systems design and for most pervasive computing applications. As embedded systems are usually deployed in large numbers, costs are a main concern of system developers. Hence embedded security solutions have to be cheap and efficient.

Many security services such as digital signatures can only be realized by public key cryptography. Yet, public key schemes are in terms of computation orders of magnitude more expensive than private key cryptosystems. At the same time the prevailing schemes rely on very similar security assumptions. If one scheme gets broken, almost all cryptosystems employing asymmetric cryptography become useless.

The first part of this work explores alternatives to the prevailing public key cryptosystems. Two alternative signature schemes and one public key encryption scheme from the family of post quantum cryptosystems are explored. Their security relies on different assumptions so that a break of one of the prevailing schemes does not affect the security of the studied alternatives. The main focus lies on the implementational aspects of these schemes for embedded systems. One actual outcome is that, contrary to common belief, the presented schemes provide similar and in some cases even better performance than the prevailing schemes. The presented solutions include a highly scalable software implementation of the Merkle signature scheme aimed at low-cost microprocessors. For signatures in hardware an FPGA framework for implementing a family of signature schemes based on multivariate quadratic equations is presented. Depending on the chosen scheme, multivariate quadratic signatures show better performance than elliptic curves in terms of area consumption and performance. The McEliece cryptosystem is an alternative public key encryption scheme which was believed to be infeasible on embedded platforms due to its large key size. This work shows that by applying certain implementational tricks, both hardware and software implementation become feasible and show comparable performance to the prevailing schemes.

Another security threat to embedded systems are physical attacks. Embedded systems are often employed in hostile environments where possible attackers have physical access to the device, making side channel analysis possible. The second part of this work explores how to efficiently analyze the side channel resistance of embedded implementations. By applying simulation methods the possibility of evaluating logic styles and circuit designs is presented. By these methods a yet undiscovered weakness in MDPL/iMDPL, a logic style that was, up to now, believed to effectively counteract side channel attacks, is uncovered. Furthermore, a newly developed attack on the KeeLoq cipher is presented. By applying this attack to KeeLoq-based remote keyless entry systems the possible hazards of side channel analysis for embedded systems are demonstrated. Hereby, problems of a practical application of side channel analysis in a black-box scenario and their solutions are highlighted. Finally, advanced techniques of side channel analysis are applied to reconstruct the executed code of a microprocessor by solely analyzing its power consumption. The presented generic methods can be applied to microcontroller platforms to build a disassembler by means of passively monitoring a single side channel only.

Keywords: Cryptography, Public Key, Post Quantum, Software, Hardware, Embedded, Security, Side Channel Analysis, Power Analysis, Disassembler.

Acknowledgements

This thesis is the result of three years of research in cryptography which I performed as a member of the Embedded Security Group headed by Professor Christof Paar. Being part of this lively group enabled fruitful interaction with many different people, not only resulting in several joint projects, but also to new friendships. Special thanks to Christof Paar for accepting me as a PhD student and for providing excellent working conditions for me and his whole group. He is exceptional at motivating people and extremely supportive.

I also want to thank my colleagues who supported this work in discussions and joint projects, namely Andrey Bogdanov, who defended his thesis back to back with me, Tim Güneysu, the COPACOBANA-tamer, Stefan Heyse who teaches FPGAs and microcontrollers higher math, Markus Kasper, whom I should not have reduced to his beloved hardware Trojan, Timo Kasper, the only remaining long-haired guy in the group, Sandeep Kumar, the easy rider, Kerstin Lemke-Rust, the quiet side channel authority, Amir Moradi whose competence has seriously scared the German immigration authority, Martin Novotny, the real inventor of skype, Axel Poschmann the traveler between worlds, Francesco Regazzoni, the only true European I know, Andy Rupp who definitely beat Dario in the barbecue contest, Kai Schramm who introduced me into the magic world of side channel analysis, Daehyun Strobel, the new Mr. side channel disassembler, Christopher Wolf, a.k.a. Mr. HGI, and Marko Wolf, our car expert. Special thanks to Irmgard, the unofficial boss of the group, who helped me a lot in getting my thesis submitted remotely and in time, to Horst and his unrecognized support in the early phase of the KeeLoq project and to Karsten, who have all been an integral part of the group for many years.

I also want to thank the students in whose theses I participated as supervisor, of which many contributed to my research efforts and some also led to successful publications, especially Michael Dubs, Martin Goldack, Olli Grieb, Olli Mischke, Sören Rinne, Sebastian Rohde, Björn Weghenkel, and Malte Wienecke. Finally I want to thank Andreas Gornik who supported the writing of this thesis by proof reading and suggesting changes and Jennifer Strauß for creating the wonderful cover picture.

Of course special thanks to my parents for their love and support, and to my brother, who often had to do last minute checks of material which he certainly never enjoyed reading. And of course to my wife Ricarda who, besides proof reading and organizing, also provided support, love, and a lot of patience.

Table of Contents

5.7 Results
Conclusion

II Side Channel Analysis

6 Introduction to Side Channel Analysis
Overview
Power Analysis
Simple Power Analysis
Differential Power Analysis
Performing a DPA
Countermeasures Against Power Analysis

Simulation of Power Leakage in Hardware
Motivation
Examination of Logic Styles
Development of Logic Styles
General Examination Methods for Logic Styles
Evaluating the Power Leakage of MCML
MOS Current Mode Logic (MCML)
Design and Simulation Flow
Power Analysis of CMOS and MCML
Attacking Logic Styles Employing Single Rail Masked Flip Flops
Information Leakage of Flip-Flops
Attacking Single Mask Bit Registers
Simulation Results
The Impact of Fault Countermeasures to Side Channel Vulnerability
Fault Attacks and Countermeasures
Error Detection Circuits for the AES
Results of power attacks using simulated data
Conclusion

Breaking a real System: DPA on KeeLoq
Motivation
Background
Code Hopping Protocol
Key Derivation Schemes
Related Work
DPA on KeeLoq
Building a Powerful DPA for KeeLoq
Details of the Hardware Attack
Details of the Software Attack
Attacks and Implications
Cloning a Transmitter
Recovering a Manufacturer Key
Cloning any Transmitter without Physical Access
Denial of Service
Conclusion

Power Disassembler: A Disassembler Based on Side Channel Analysis
Motivation
Extracting Information from Side Channel Leakage
How to Include Code Properties
Optimal Instruction Reconstruction
Reconstructing a Program from Side Channel Leakage
Template Construction
Source Code Analysis
Analyzing Programs
Applications and Implications
Conclusion

III Appendix

Bibliography
List of Figures
List of Tables
About the Author
Publications

Chapter 1
Introduction

This chapter outlines the work presented in this thesis. The two main aspects of this work, namely cryptographic implementation and side channel analysis, are set into the context of the ongoing research in applied cryptography and embedded security. The Motivation is followed by a summary of the research contributions presented in this thesis.

Contents of this Chapter
1.1 Motivation
1.2 Summary of Research Contributions

1.1 Motivation

Increasingly, many devices of everyday life are equipped with computing power. Not only luxury products such as cars and mobile phones are provided with computing capabilities that twenty years ago could be achieved by super computers only. Even much simpler devices including many home appliances or even throw-away products like printer cartridges feature computing capabilities in form of small and cheap microcontrollers. Today, already more than 98% of all manufactured microprocessors are employed in embedded applications rather than in traditional personal computers. An increasing number of these embedded devices are enabled to communicate amongst each other and form networks. This upcoming trend is usually referred to as pervasive computing. Examples of pervasive applications include RFID tags, admission tickets, ID cards, payment via mobile phone or even public transportation passes. Many new and useful services for end users as well as industry are enabled by the capability of these devices to communicate and interact. Accordingly, pervasive systems proliferate at an increasing speed.

A side effect of the increasing interconnectedness is a possible vulnerability of these embedded systems. Attacks that have formerly been restricted to PCs can suddenly be launched against cars, tickets, ID cards or even pacemakers. At the same time the security awareness of users and manufacturers of such systems is much lower than in classical PC environments. This renders security one key aspect of embedded systems, and certainly of most pervasive computing applications.

Cryptography provides many of the security services required by pervasive applications. Yet, due to tight constraints in cost and computing power, efficient hardware and software implementations of cryptographic algorithms are of utmost importance to enable the vision of pervasive computing. The computational complexity inherent in ciphers poses a major challenge on system designers and implementers. One of the biggest challenges is the implementation of public key cryptography on embedded devices. Even optimized implementations of asymmetric algorithms, e.g., elliptic curve cryptography (ECC), are orders of magnitude more expensive than established symmetric primitives like the AES. Yet, asymmetric primitives are required for many security services, such as key establishment between parties and digital signatures. Many applications like car-to-car communication, ecash or the prevention of product counterfeiting can only be realized with asymmetric cryptography, making efficient asymmetric schemes a technology enabler.

In practice, almost all security implementations in use nowadays employ RSA, ElGamal, or ECC as asymmetric scheme. However, these cryptosystems rely on two related security primitives, namely the factoring problem (FP) and the discrete logarithm problem (DLP), which are also known to be closely related. With a significant breakthrough in cryptanalysis or a major improvement of the best known attacks on these problems a large number of currently employed cryptosystems may turn out to be insecure overnight. While the design of efficient symmetric ciphers is well understood and a possibly broken cipher can usually be replaced quite easily for symmetric systems, the situation for asymmetric cryptography is different. Only few alternative algorithms that depend on other security assumptions have been proposed as alternative or even replacement for the above-mentioned prevailing primitives. Yet, as the establishment of RSA and later ECC have shown, asymmetric primitives need a thorough study of implementational aspects until they reveal their full potential. One factor that has been out of scope of scientific research on many of these alternative primitives is the efficiency with regard to implementation on embedded systems. Not only is it desirable to have alternatives ready for the case RSA and ECC might get broken. Some of the alternative schemes can also turn out to be more efficient than current schemes, possibly possessing better implementation properties than prevailing ones. Accordingly, the study of implementational aspects of alternative public key cryptosystems can influence the cost, performance, and security of future embedded security applications.

But efficient implementation of cryptography is only one aspect of embedded security. Other security aspects need to be considered when building secure embedded crypto systems. In classical scenarios malicious attacks targeted wired or wireless communication interfaces. Of course these classical attack scenarios like viruses, trojan horses, spoofing, phishing or denial of service attacks also exist for pervasive systems. But there are also new attacks that can typically not be executed on classical PC systems. Since an attacker usually has physical access to an embedded device, a whole new class of attacks, so-called physical attacks, becomes highly relevant. Having access to the device enables the attacker to monitor the device or even tamper with it while the device is performing security critical operations, i.e., cryptographic algorithms. By measuring so-called side channels such as the power consumption or the electromagnetic emanation of a device the attacker gains additional information finally enabling her to break the cryptographic scheme. This class of attacks is usually referred to as side channel analysis. Specifically power analysis and EM analysis are some of the strongest attacks targeting cryptographic implementations. At the same time they are most difficult to prevent. These relatively new attacks easily break implementations of mathematically highly secure standards, such as AES and RSA. Though many countermeasures have been discussed, they are usually quite costly in terms of execution time, power consumption, and code size or area in software or hardware, respectively. This collides with tough cost constraints in embedded systems design, putting great challenges on designers and implementers of embedded security solutions. Affordable methods for preventing physical attacks are of high importance for implementers. At the same time better methods for analysis lead to a more thorough understanding of side channel leakage and, consequently, smarter countermeasure designs. Only well understood methods can then also be integrated into standardized design flows, for which a reliable prediction of side channel leakage is required.

This thesis focuses on two of the most pressing problems in current embedded cryptology research: Implementational aspects of alternative public key cryptosystems are discussed in the first part of this thesis. The second part of this thesis explores how to efficiently analyze the side channel resistance of embedded systems and presents new applications for side channel methods.

1.2 Summary of Research Contributions

One important aspect of the design of cryptography for embedded systems are the tough cost constraints. This is why usually specialized implementations are realized. The designs are implemented either in hardware, namely as ASIC or FPGA, or on constrained software platforms, usually on microcontrollers. A key issue of this thesis is the design and implementation of applied cryptography for embedded systems, including software implementations for embedded processors and hardware implementations for FPGAs. We¹ focus on the efficient implementation of asymmetric cryptosystems, because in contrast to the identified need for alternatives, almost no prior work has been performed with regard to embedded systems.

For hardware applications, FPGAs are the ideal platform for prototyping and low-quantity product lines. Our hardware implementations are based on the low-cost Xilinx Spartan 3 series, as it provides good performance at a low cost. At the same time FPGA implementations also give an approximation for the complexity of an ASIC implementation.

Embedded systems featuring software implementations are still predominated by 8-bit microcontrollers, due to their low cost and low power consumption. For this case efficient implementation is even more critical, as 8-bit platforms are usually very constrained in computing power and memory resources. For all implementations we used the Atmel AVR family of microcontrollers. AVR microcontrollers are available from very simple and hence cheap devices up to devices featuring orders of magnitude more memory and lots of integrated peripherals. Yet, all can be programmed using the same instruction set, making the presented implementations available to a wide range of products.

¹ Though this thesis represents my own work, some parts result from joint research projects with other contributors. Therefore, I prefer to use we rather than I throughout this thesis.

Another topic this thesis focuses on is the analysis of side channel attacks, their implications, and countermeasures. Side channel analysis is a major concern for embedded security design. Methods for analyzing security properties are indispensable for finding efficient and effective security solutions. For exploring the vulnerability of embedded systems to side channel attacks, ASIC designs and FPGA designs do not compare very well. Due to the structure of FPGAs, their leakage is different to the leakage of ASICs. Furthermore, studying the leakage of FPGA implementation is more comparable to that of software implementations. Once a side channel measurement environment is set up, modifications can be reloaded quickly to the system to study the effects on the leakage. In the ASIC case, new measurements are always delayed by the ASIC's long and expensive production cycles. This is also the reason for the availability of complex and accurate simulation tools for ASIC designs. Contrary to microcontroller designs, these tools need to be utilized for predicting side channel leakages as well.

This thesis shows how side channel methods are applied in practice and how to analyze side channel properties based on simulation only. Possible implications and benefits for other areas of research, especially for reverse engineering and forensics, have not yet been studied extensively. We also explore some application scenarios of side channel analysis outside of cryptanalysis and present feasible methods for these applications.

Post Quantum Cryptography

Theoretic research and cryptanalysis of a cryptosystem increases the credibility of the schemes while researching the implementational aspects increases the usability of a cryptosystem. This part focuses on the latter point, namely on the implementational aspects of a family of public key cryptosystems, so-called post quantum cryptosystems. Post quantum cryptosystems rely on different security assumptions than the prevalent asymmetric schemes, i.e., RSA and ECC. As the name implies the discussed schemes are also believed to resist cryptanalysis based on quantum computers, if parameters are chosen correctly. Our focus is to identify public key cryptosystems that achieve comparable performance to the prevalent ones while relying on different security assumptions, to foster variety of adopted public key schemes. An overview of post quantum cryptography is given in Chapter 2.

Merkle Signature Scheme

The Merkle Signature Scheme is a signature scheme based on the repeated use of a secure one-way function, typically a hash function. The security of Merkle signatures can be proved based on the security of the underlying one-way function. Several of the scheme's parameters influence properties like signature performance, signature size and key sizes, and security level. The performance also relies strongly on the performance of the employed one-way function, making the study of hash functions for embedded systems an important issue. One-way functions are mostly optimized for software implementation. Due to the flexibility of the scheme and the strong reliance on the performance of the one-way function, we implemented Merkle signatures in software. In this context we also explored whether an existing symmetric crypto engine of a system can also be used to strongly increase the performance of the signature engine. Details of the implemented scheme are presented in Chapter 3. Parts of the presented work have been published by the author as [RED+08a] and [RED+08b].

Multivariate Quadratic Signatures

Another class of signature schemes is based on the problem of solving multivariate quadratic equations, which is known to be NP-complete. The core operations for generating multivariate signatures are matrix-vector multiplication and solving systems of linear equations. Both tasks can be efficiently performed on modern hardware platforms such as FPGAs. Another advantage of modern FPGAs are large integrated block RAMs that can be used to store the rather large keys of multivariate quadratic schemes. Parts of this work presented in Chapter 4 have been published as [BERW08].

McEliece Encryption

For completing the portfolio of alternative crypto schemes, we still miss an asymmetric encryption scheme. The McEliece encryption scheme has already been proposed in the seventies and has withstood all major cryptanalysis since. It has received only little attention by implementers due to its large key size. The constantly increasing memory sizes in embedded systems, true for microcontrollers as well as FPGAs, make McEliece more realistic. At the same time new methods for decreasing the key size or even generating the key on-the-fly have shifted the attention back to this scheme. Software and hardware implementation of this scheme are presented in Chapter 5. This work is to appear in [EGHP09].

Side Channel Analysis

Side Channel Analysis has received substantial improvement in the last decade. One area of high activity is power and electromagnetic analysis where many improved analysis methods and especially countermeasures have been developed. This work outlines the potential of side channel methods in embedded crypto design, for analysis of cryptographic implementations, and also the yet mostly undiscussed perspective of applications outside of cryptography. We want to show ways to effectively perform power analysis in practice as well as methods that enable predicting power leakage based on simulation. Finally we show that the developed methods can also be applied to other problems in embedded systems analysis outside of cryptography. An overview of side channel analysis with a focus on differential power analysis is given in Chapter 6.

Simulation of Power Analysis Attacks

Simulation of the power consumption of ASICs has many advantages compared to real measurements. Simulations feature perfect reproducibility, are almost noise free, make advanced measurement setup superfluous, but most of all they can be performed before a final chip has been manufactured. Hence, simulations are very interesting for exploring the behavior of cryptographic hardware designs. This is especially true for investigating the leakage of hardware countermeasures and other special hardware constructions. The advantages of course come at the price of just working on models, so the outcome in some cases slightly differs from real circuits. Simulating large circuits at high accuracy can furthermore become very time consuming because of the increasing computational complexity of the simulation. A thorough discussion with several example applications is presented in Chapter 7. Some of the results have been published in [RBE+07, REG+07, REB+08, MEP+08, REP+09].

A Practical Side Channel Attack: Breaking KeeLoq

Side channel attacks have often been considered as a very theoretical attacking method. They are mostly performed by security evaluation labs and universities, usually on known implementations. Performing an attack in a black-box scenario reveals many pitfalls that are often left unconsidered when performing attacks in a white-box scenario and in fully controlled lab environments. It also shows the possible implications that the failure of a cryptographic component can jeopardize the security of the whole system. A description of the attack and its implications is given in Chapter 8. The attack has been published as [EKM+08].

Side Channel Analysis for Recovering Programs

Side channel analysis is a strong method to break cryptographic implementations by recovering the key. The methods have been improved for more than ten years by a large research community. The methods allow for extracting much information about inner behavior of the target device. Besides information about the processed data, the power and EM side channels contain additional information about the inner behavior of the target device. Side channel methods have even been proposed to detect trojans in ASIC architectures [ABK+07]. For embedded microprocessors, reliably recovering information such as the executed instructions turns out to be feasible. Side channel methods, especially so-called template attacks, turn out to be a very handy tool for these applications. A methodology to recover executed instructions from side channel information only is presented in Chapter 9. This work is to be published in conjunction with Christof Paar and Björn Weghenkel.
